Software-based systems are increasingly dynamic in their functionality and communications behavior. In fields such as DevOps, continuous integration, source code control, and the Internet of Things (IoT), the content of software applications and code portions is rapidly changing, both before and during deployment. In some cases, the changes arise from software functionality that runs automatically based on some detected system or environment condition. Examples include application-to-application communications or operations, load balancing applications automatically responding to changing network load conditions, cybersecurity threat detection systems automatically identifying and responding to potential attacks, connected vehicles automatically observing and adapting to changing road conditions, smart home appliances automatically predicting and remembering usage patterns, and many more. Using practices such as DevOps and continuous integration, software is rapidly deployed into live environments, which may in turn result in the software affecting multiple different data centers or cloud providers across distinct systems and platforms.
Beneath this ever-changing outer appearance of software-based systems is often a multitude of applications or code segments. Many such systems use small software building blocks, such as microservices, that perform discrete functions in concert with each other to achieve an overall function or service. It is thus becoming uncommon for software-based systems to operate using a single, monolithic software application, or even a small number of such applications.
Because of the dynamically changing and complex nature of modern software-based systems, it is often difficult to know exactly what applications should be running, under what conditions, and what they should be permitted to do in a network. Existing attempts to add security to such environments add discrete controls to particular software flows or processes. For example, firewalls may attempt to limit network communications to known and permitted behavior, and whitelists for software functionality may attempt to limit code execution to known sequences (e.g., with code flow integrity approaches). This piecemeal approach is flawed and difficult to implement, however, because security vulnerabilities may exist at different layers of a software-based system and throughout many different application processes. The result is a few “security islands” without comprehensive security from the beginning of a process to its end or result state. Such approaches are constantly trying to identify and protect the weakest links in application processes, but do not succeed because of the complexity and dynamism of modern software deployments. Further, such techniques are inherently unable to protect against unknown or unappreciated portions of processes that may be security vulnerabilities. Because such gaps are unknown or unappreciated from a security standpoint, they go overlooked and thus unprotected.
Accordingly, in view of these and other deficiencies in existing techniques, technological solutions are needed for providing adaptive, customized, and flexible security in networks with dynamically changing software applications. Such techniques should be able to learn existing process flows in a network and adapt to detect the weakest links in such processes. By identifying the weakest link in a process, malicious or harmful activity may be detected so that the activity cannot continue through its associated process flow and harm a network or devices connected to the network. Further, such techniques should be able to continuously adjust in response to new learned process flows in the network. Through such techniques, various anomalies or threats in application processes may be identified, such as code injection, improper credential usage, irregular credential usage, new communication paths, new process flows, new user identities being involved, and more.
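As an added illustration of the learn-then-detect approach this section calls for (example code written for this page, not taken from the original document or from any product it describes), the following Python sketch learns service-to-service call paths, the identities used on each path, and complete per-request call chains from a learning window of constructed log lines, then flags later traffic that uses a new communication path, a new identity on a known path, or a new ordering of otherwise known hops. The log format, the service names and identities, and the ProcessFlowBaseline class are all assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format for this example (not a real product's format):
#   <timestamp> req=<request id> <source service> -> <destination service> id=<caller identity>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) req=(?P<req>\S+) (?P<src>\S+) -> (?P<dst>\S+) id=(?P<ident>\S+)$"
)

Edge = Tuple[str, str]          # (source service, destination service)
Flow = Tuple[Edge, ...]         # ordered call chain of one request
Finding = Tuple[str, str, str]  # (request id, anomaly kind, detail)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (req, src, dst, ident) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m["req"], m["src"], m["dst"], m["ident"]


def group_by_request(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group parsed events by request id, keeping the order seen in the log."""
    grouped: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than treated as evidence
        req, src, dst, ident = parsed
        grouped.setdefault(req, []).append((src, dst, ident))
    return grouped


class ProcessFlowBaseline:
    """Learns the paths, identities and call chains seen in a learning window
    (hypothetical helper for this example) and reports later deviations."""

    def __init__(self) -> None:
        self.paths: Set[Edge] = set()
        self.identities: Dict[Edge, Set[str]] = defaultdict(set)
        self.flows: Set[Flow] = set()

    def learn(self, lines: List[str]) -> None:
        """Absorb observed traffic; re-learning reviewed traffic later is how
        the baseline keeps adjusting to new legitimate process flows."""
        for events in group_by_request(lines).values():
            chain: List[Edge] = []
            for src, dst, ident in events:
                edge = (src, dst)
                self.paths.add(edge)
                self.identities[edge].add(ident)
                chain.append(edge)
            self.flows.add(tuple(chain))

    def evaluate(self, lines: List[str]) -> List[Finding]:
        """Per request: report each unknown hop or unknown identity on a known
        hop; if every hop is known but their ordering is new, report a new flow."""
        findings: List[Finding] = []
        for req, events in group_by_request(lines).items():
            chain: List[Edge] = []
            hop_findings: List[Finding] = []
            for src, dst, ident in events:
                edge = (src, dst)
                chain.append(edge)
                if edge not in self.paths:
                    hop_findings.append((req, "new_path", f"{src}->{dst}"))
                elif ident not in self.identities[edge]:
                    hop_findings.append((req, "new_identity", f"{src}->{dst}:{ident}"))
            if hop_findings:
                findings.extend(hop_findings)
            elif tuple(chain) not in self.flows:
                findings.append((req, "new_flow", ",".join(f"{s}->{d}" for s, d in chain)))
        return findings


# Constructed learning-window traffic: two known call chains (r1 and r2).
BASELINE_LOG = [
    "2024-01-01T10:00:00Z req=r1 gateway -> orders id=svc-gateway",
    "2024-01-01T10:00:01Z req=r1 orders -> payments id=svc-orders",
    "2024-01-01T10:00:02Z req=r1 payments -> ledger id=svc-payments",
    "2024-01-01T10:05:00Z req=r2 gateway -> orders id=svc-gateway",
    "2024-01-01T10:05:01Z req=r2 orders -> inventory id=svc-orders",
]

# Constructed later traffic: r9 is normal; r10, r11 and r12 each deviate differently.
LATER_LOG = [
    "2024-01-02T09:00:00Z req=r9 gateway -> orders id=svc-gateway",
    "2024-01-02T09:00:01Z req=r9 orders -> payments id=svc-orders",
    "2024-01-02T09:00:02Z req=r9 payments -> ledger id=svc-payments",
    "2024-01-02T09:01:00Z req=r10 gateway -> orders id=svc-gateway",
    "2024-01-02T09:01:01Z req=r10 orders -> ledger id=svc-orders",
    "2024-01-02T09:02:00Z req=r11 gateway -> orders id=svc-gateway",
    "2024-01-02T09:02:01Z req=r11 orders -> payments id=svc-admin",
    "2024-01-02T09:02:02Z req=r11 payments -> ledger id=svc-payments",
    "2024-01-02T09:03:00Z req=r12 gateway -> orders id=svc-gateway",
    "2024-01-02T09:03:01Z req=r12 orders -> inventory id=svc-orders",
    "2024-01-02T09:03:02Z req=r12 orders -> payments id=svc-orders",
]


def demo() -> List[Finding]:
    """Learn from the baseline window, then evaluate the later traffic."""
    baseline = ProcessFlowBaseline()
    baseline.learn(BASELINE_LOG)
    return baseline.evaluate(LATER_LOG)


if __name__ == "__main__":
    for req, kind, detail in demo():
        print(f"{req}: {kind} {detail}")
```

Run as written, the sketch reports r10 for a never-seen orders-to-ledger path, r11 for an unfamiliar identity on a known path, and r12 for a chain whose individual hops are all known but whose ordering was never learned; r9 produces nothing. The three finding kinds map directly onto the "new communication paths", "irregular credential usage" and "new process flows" anomalies listed above, and feeding reviewed, accepted traffic back through learn() is the continuous-adjustment step the section asks for.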